Upgrade to Pro — share decks privately, control downloads, hide ads and more …


November 12, 2019


A presentation in Power of Community 2019 held in South Korea with topic hunting vulnerability in Antivirus products.


November 12, 2019

More Decks by Nafiez

Other Decks in Research


  1. ABOUT US! NAFIEZ An independent security researcher. Interested in vulnerability

    research and reverse engineering. JAAN YEH More than 10 years experienced in Antivirus field. Reverse engineering and exploit analysis.
  2. TABLE OF CONTENTS GENERAL DISCUSSIONS Technology, benefits and security perspective.

    WHAT MAKES THEM FAIL? Why it keep failing for many years? 01 03 02 04 05 VULNERABILITY HUNTING Hunting down and dive into AV vulnerability VULNERABILITY ANALYSIS & EXPLOITATION General discussion of our findings CONCLUSION Best defense is offense.

    Mehta ◦ https://www.blackhat.com/presentations/bh-europe-05/bh-eu-05-wheeler-mehta-up.pdf • Feng Xue ◦ https://www.blackhat.com/presentations/bh-europe-08/Feng-Xue/Whitepaper/bh-eu-08-xue-WP.pdf • MJ011 ◦ http://powerofcommunity.net/poc2010/mj0011.pdf • Joxean Koret ◦ http://joxeankoret.com/download/breaking_av_software_44con.pdf • Tavis Ormandy ◦ https://lock.cmpxchg8b.com/sophailv2.pdf • Alexei Bulazel ◦ https://i.blackhat.com/us-18/Thu-August-9/us-18-Bulazel-Windows-Offender-Reverse-Engineering-Windows-Defenders-Antivirus-Em ulator.pdf • Wayne Low & Yang YongJian ◦ https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/The%20Dawn%20of%20AV%20Self-Protection.pdf • Buherator ◦ https://github.com/v-p-b/kaspy_toolz/raw/master/S2_EUSKALHACK_Self-defenseless.pdf • etc.
  4. THE EVOLUTION OF ANTIVIRUSES MALWARE Malware getting smart. Threat actors

    implement malware with 0-days. TECHNOLOGY Machine Learning & Artificial Intelligence adapted in security. Vendors uses it to study malware. HUMAN Humans needs security in their daily life. Threats became smarter, that includes IoT.


    people to analyze samples. SIGNATURE Using signature-based detection. HEURISTIC Using heuristic-based detection. CLOUD Requires submission to their cloud program, collection information, etc.
  7. WHY? ENGINE Widely used AV engines by other products. Bigger

    attack surface. Some implement their engines but limited. AUDIT Vendors fail to securely audit their products. Too many products released leave many loopholes. VULNERABILITY Failure in detecting 0-day or unknown vulnerability. AV product itself contained unknown vulnerabilities. FEATURES Many features in one single product. These features are likely to be abuse. TRICKS It is relying on traditional detections. Thus, tricking the AV can lead to bypassing.
  8. WELL-KNOWN ISSUES 5 Unknow n Behavior 4 False Positive 3

    Evasion (False Negative) Organization Control 2 1 Delayed Database Update
  9. Archives Support various types of compression file archives Packer Support

    various packers including UPX, ASPack, etc. ATTACK SURFACE… CORE ANTIVIRUS Language Written in C / C++ / C# File Formats Support multiple formats, including word processing, PDF, etc. Scanners Various types, on-access, on-demand Features All in one product, featuring anti-rootkit, performance optimization, etc. Emulators Implementing emulators that supports emulating x86, etc. Engine Internal engine and external (sharing) engine Kernel Windows drivers including filter, network, etc.
  10. TYPES OF ATTACKS PERMISSION ISSUE Allow gaining the higher privilege

    of the system to fully control the target PRIVILEGE ESCALATION REMOTE BASED Achievable by tricking target or non-interaction code execution PARSERS & ARCHIVES BOMBING Uses old method by using archive bombing to delay scanning process or immediately kill the product (OOB, OOM, Stack / Buffer Overflow, NULL Pointer, etc.) Leveraging permission issue to achieve control/execution LOGIC BUGS Abusing features without actually relying on memory corruption issues DENIAL OF SERVICE Abusing the vulnerability via multiple ways such as kernel BSOD
  11. Now we know the attack surfaces, but how does it

    work? Let’s go back to basics…
  12. HUNTING - KERNEL DRIVER • Understanding of Windows Internals ◦

    MSDN, Debugging, Userland, Kernel land, Traditional and (Virtualization) Modern architectures, etc. • Understanding of Windows drivers ◦ Windows Driver Model (WDM) ◦ Windows Driver Frameworks (WDF) • Basic driver structures ◦ DriverEntry, Device Objects, IRP functions, IOCTL codes • Various types of Windows kernel issue ◦ IOCTL Handling, Insecure Permission, ACL Bypass, etc.
  13. HUNTING #1 - KERNEL DRIVER - IOCTL • Good examples

    of finding IOCTL via automated process ◦ https://github.com/nccgroup/DriverBuddy ◦ https://labs.f-secure.com/tools/win-driver-tool/ ◦ https://brundlelab.wordpress.com/2013/02/02/show-me-your-ioctlcodes/ • Please note that some of these automated tools can’t really find the exact IOCTL :)

    device object's FILE_DEVICE_SECURE_OPEN characteristic is set, the system applies the device object's security descriptor to all file open requests in the device's namespace. Drivers can set FILE_DEVICE_SECURE_OPEN when they create the device object with IoCreateDevice or IoCreateDeviceSecure.” https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/controlling-device-namespace-access
  15. HUNTING - NAMED PIPE • One-way or duplex pipe for

    communication between the pipe server and one or more pipe clients • Any process can access named pipes, subject to security checks, making named pipes an easy form of communication between processes. • Service that can be abused, to gain privilege escalation and arbitrary code execution. ◦ These days we see many named pipe abuse via WCF :) • Named pipe has its own DACL and almost similar to file system permissions. ◦ Perform an access check before granting access to the object • For some case, it works via network ◦ Could allow performing remote code execution too, which is a huge attack surface • Developer can specify a security descriptor for a named pipe. ◦ The security descriptor controls access to both client and server ends of the named pipe. • MSDN has enough information to understand how it works.
  16. HUNTING #2 - NAMED PIPE • A collision bug found

    by us and hyp3rlinx ◦ It turns out he found it first and released the advisory. • The issue is due to a NULL DACL (RW Everyone) resulting in a system scan Denial Of Service vulnerability for both of the endpoint protection programs. • The named pipe is remotely accessible. Further investigation found the PIPE_REJECT_REMOTE_CLIENTS and FILE_FLAG_FIRST_PIPE_INSTANCE is not present. http://hyp3rlinx.altervista.org/advisories/CISCO-IMMUNET-AND-CISCO-AMP-FOR-ENDPOINTS-SYSTEM-SCAN-DENIAL-OF-SERVICE.txt
  17. HUNTING - INSECURE PERMISSIONS • Access to files (securable objects)

    is regulated by the access-control model that governs access to all other securable objects in Windows. • A security descriptor can be defined for a file and directory. ◦ If sets NULL, file and directory will get a default security descriptor. • Access Control Lists (ACL) in the default security descriptor for a file and directory are inherited from its parent directory. • 3rd party software installation plays a big role to define its security descriptor. • Abusing insecure permission sometimes lead to privilege escalation or even arbitrary code execution • Plenty of areas that can be abuse including: ◦ File system, Registry, Named Pipe, Driver, Services
  18. HUNTING - LOGICAL BUGS • Subverting the programmer’s original logic

    rather than abusing unintended behavior • Logical bugs usually lead to privilege escalation ◦ Everything is about Windows Privileges ◦ Complex + Hard to fix • It consistx of various bug class list including ◦ File path abuse, Impersonation, Insecure Kernel Resource Access and COM • Hunting logical bugs in AV is quite trivial, especially on file path abuse ◦ Elevation of Privilege ◦ Arbitrary file write ◦ Arbitrary file delete • For some cases, folder permissions granted to “Everyone”, but the folder is protected by another process of AV (self-defense mechanism).
  19. HUNTING - DLL PLANTING • Application can control the location

    from which a DLL is loaded ◦ Either specify a full path or using another mechanism such as manifest • If application load DLL without the full path, Windows attempts to locate the DLL by searching a well-defined set of directories in an order known as DLL Search Order • DLL Planting vulnerability required less effort and easy to get persistence ◦ DllMain() function very easy to gets executed when DLL gets loaded • There are three known categories of DLL planting ◦ Application Directory (App Dir) DLL planting ◦ Current Working Directory (CWD) DLL planting ◦ PATH Directories DLL planting • Please note that not all DLL is loaded
  20. HUNTING - ENGINE & PARSERS • The most complex components

    ◦ No source code, thus, requires reverse engineering • Antivirus engine supports various types of parsers ◦ Executables, documents, archives, packers, media files, etc. • The engine contains emulators to support too ◦ Unpacking, decompression, etc. • Most of the parsers are standard in parsing file formats, decompressing, unpacking, etc. ◦ Some customize but the way it works is still the same • Fuzzing is an efficient way ◦ Then jump to reverse engineering process ◦ If you’re lucky enough, the target might have proper symbols :) • Matalaz mentioned in his book (The Antivirus Handbook), Linux is the best choice to fuzz AV ◦ No sandbox / protection like in Windows

    multiple checks, e.g. are packed samples valid UNTRUSTED INPUT Check for various types of input, e.g. logs, files, signatures, etc. ALLOCATION Look for calculation length, magic value, e.g. check for archives calculation length/allocation File Size Testing file size, including archives, e.g. check parser capability parsing large file size ERROR PRONE FORMATS Examine sign and any calculations, e.g. 32-bit fields TO-DO LIST
  22. HUNTING - UNQUOTED SERVICE • Product uses a search path

    that contains an unquoted element, in which the element contains whitespace or other separators • Mostly happened on Windows Services ◦ Misconfiguration of path binary services ◦ Unquoted and contain spaces • Operating System attempt to run a program from the path ending at the first space character and so on • Does not indicate as a vulnerability since it only works via Admin mode ◦ Useful for persistency maybe?
  23. HUNTING - MISCELLANEOUS SIGNATURE UPDATES The signature updates sometimes use

    non-encrypted traffic. Some were easily MITM and fake the original download. Arbitrary code execution achievable via download update when extracting signature. ADDITIONAL FEATURES These days AVs come with additional features. As an example, AVs bundle with WiFi protection, IoT, Performance Testing, etc. and the features can be abused differently. WEB PROTECTION AV vendor tends to protect users while surfing banking or shopping websites. In some cases, web protection does not stop web spoofing or even 1-day browser exploit. WCF ENDPOINTS WCF is runtime and a set of APIs in the .NET Framework for building connected, service-oriented applications. These days AV components implemented with .NET and use WCF. In some cases, it is trivial to find vulnerabilities in WCF. COMMAND-LI NE BASED AV sometimes uses a command-line or include it as part of scanning activity. In most cases, it is written in C/C++. The command sometimes defines with buffer and quite trivial to spot some issue from there.
  24. HUNTING - MISCELLANEOUS SELF-PROTECTION MECHANISM Self-protection mechanisms mostly implemented in

    popular AV products. Many reason vendors are implementing it, including protecting its services, components, and file path. However, this mechanism can be easily disabled via multiple ways, registry or even IPC. AUTHENTICODE Authenticode usually implemented as part of the engine and the purpose is to detect the validation. Some vendor optimizes its parser to prevent bugs. The more it parses, the more bug can be found. Useful combining reverse engineering and fuzzing. WEB INTERFACE For large scale used of AV, it uses web application to interact between the client and server. It uses the standard web mechanism. LOG & CONFIGURATI ON FILES Log and configuration files sometimes containing useful information such as username, password, and some sensitive information. PROCESS TAMPERING AV uses service/process to work on a different task. Tampering the AV processes could lead to an arbitrary execution. This can be done in many ways such as process hollowing, thread injection, etc.
  25. LONG-TERM HUNTING REVERSE ENGINEERING An effort of reversing the AV

    components could lead to many paths that might indicate as a bug. However, there’s some limitation such symbols. Binary diffing could help to play around with. AUDITING Keep up to AV technology. Vendors slowly moving to new technology such as sandboxing, self-protection, anti-tampering, etc. FUZZING Many components can be fuzz including engine, parsers, command-line, etc. 03 01 02
  26. FUZZING - CORPUS & HARNESS • Understanding of the target

    file format • Corkami provides many inputs on various file formats • Using Google search engine for file type(s) • Test cases from Github / Gitlab ◦ Test case from others (e.g. Project Zero, etc.)

    follow the standard CERT/CC. CERT will help to coordinate with vendors. Failure to cooperate resulting in full disclosure. 90 DAYS We follow 90 days standard of Google P0 when writing an email. Usually, vendors will ack and update us.
  28. DAYS In some cases, we respect vendors’ decision on the

    fix availability. 0-DAYS When other researchers found the same bug and published in a time we report it LOL~ CONTINUE…
  29. VULNERABILITIES AND EXPLOITATION • Low-hanging fruit vulnerability types still exist

    • Windows 10 introduced many security mechanisms ◦ That doesn’t stop the exploitation for the Antivirus • We don’t have to worry about the exploitation when it comes to logical bugs :) ◦ No ASLR, CFG, DEP, etc. required • Memory corruption based issue was still the most in the kernel ◦ For some exploits, we don’t have to waste time writing it • Vendors “used” other vendors’ components ◦ Driver, Signature, Engine, etc. ◦ We can say it is worth to look into, you might achieve multiPWNvendor • The more products you look into, the more you will understand how it works
  30. DISCLOSURE • We raised the issue to vendor (reporting 1

    issue only) on a various channel and this dragged on for many months, but no luck. • We figure out their customers are the government agencies in Malaysia. • We sought advice from friends in the local community (that has link to the government). • National Cyber Security Agency (NACSA) Malaysia treat this seriously. We told them we’ll be disclosing the issue to the public. ◦ Report provided to NACSA • We have to sit for a video conference twice with the government, once with the vendor to present our findings. We presented 12 findings to them LOL~ • It turns out that they had to re-engineer everything¯\_(ツ)_/¯
  31. VULNERABILITY #1 - IOCTL HANDLING • Driver ‘kyrld.sys’ implementation is

    implemented with unsafe method • The IOCTL method (METHOD_NEITHER) implemented are outdated and always prone to vulnerabilities ◦ Microsoft has mentioned this for many years ▪ https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/using-neither-buffered-nor-direct-i-o • The vulnerability itself is failed to restrict the buffer send to the vulnerable IOCTL. There are two vulnerable IOCTL: ◦ 0x9C402401 - Stack Overflow ◦ 0x9C402405 - Invalid Kernel Pointer • However, only read primitives are allowed.
  32. VULNERABILITY #2 - INFORMATION DISCLOSURE • Log upload policies use

    an insecure transport protocol by sending information in plaintext. ◦ It is found that the global update is transmitted via plaintext. • Attacker could setup MITM or create a fake server and tap into information sent in the traffic. • It sends the computer information as plaintext ◦ Installed files, etc. • We did some reverse engineering on their binary to look for server checking (e.g. certificate, etc.). ◦ We realized that there is no further checking on uploading information to its centralized server.

    packed sample ◦ Change only 2-bytes • We scanned the modified file and figure out the AV service stopped and crash. • We decided to perform some fuzzing on the target ◦ We did dumb fuzzing and found many bugs ◦ Various file formats, packers (some samples “borrow” from Project Zero :) ) • We found another interesting bug where the scanning activity keeps looping on the scanned file LOL~ ◦ We let the scan to run for 12 hours and it keeps scanning that file xD
  34. • We found out that Kyrol Internet Security uses super

    outdated components. • These components are from ◦ MSecure Data Labs (2012) ▪ Driver, GUI and Service ◦ IKARUS Security Software (2009) ▪ Engine and Updates • There’s so many to talk about but we’ll release the rest of the vulnerability in blog after they release new version THE FACTS
  35. DISCLOSURE • We raised an issue with the vendor via

    the official support channel (email). • We sent multiple emails only to be asked if we were paying customers, this annoyed us greatly. • We decided to report to CERT / CC. • CERT / CC helped us contact / coordinate to vendor. ◦ They failed miserably too, LOL~ ◦ Vendor seems to be poor in communication • CERT / CC advise us to go full disclosure ◦ We were assigned to CVE-2019-15512 • We’re not sure if this still an issue (or 0-day)

    Scheduler Service is prone to file abuse operations that run as privilege processes on Windows. • The log file is created, accessed and manipulated with SYSTEM privileges. ◦ C:\ProgramData\TotalDefense\Consumer\ISS\9\ccschedulersvc\ccschedulersvc.log • We find out the folder log has permissive access rights that allow unprivileged users to perform read, write and modification. ◦ The permission was set to “Everyone” group • In this case the bug itself is a logic vulnerability ◦ We don’t have to worry about ASLR, etc.
  37. VULNERABILITY #1 - THE POC (STEPS) • Delete all files

    in ◦ "C:\ProgramData\TotalDefense\Consumer\ISS\9\ccschedulersvc\" • Create a pseudo-symlink named ◦ "C:\ProgramData\TotalDefense\Consumer\ISS\9\ccschedulersvc\ccschedulersvc.log" that points to "C:\Windows\System32\test.dll" • The scheduler service can be restart or wait until the computer gets rebooted. Once rebooted / restarted, it should an create arbitrary file on "C:\Windows\System32\" folder • We could use Diaghub to inject DLL so that we can have code execution
  38. DISCLOSURE • We raised an issue to the vendor via

    support channel (email). ◦ Their support replies first and tried to dispute our findings. • Someone from the research team steps in to take care of the issue. ◦ This team seems to understand what is trying to deliver. • Within a few days of communication, our first bug gets fixed. ◦ Then the second bug took them a bit longer to address. • Pending update from the vendor. We disclose this to the public :)
  39. VULNERABILITY #1 - PRIVILEGE ESCALATION • eScan installation directory are

    given permission "Everyone (F)" to full permission • Although the permission is “Everyone (F)”, it is “well” protected by self-defense protection ◦ Protected via registry • There’s a way we can disable the self-defense protection • Once disabled, we can create or modify files in the installed folder ◦ We found out the AV does not verify if it is a legitimate binary or not • We crafted a simple DLL that pops-up notepad replacing “eslogon.dll” ◦ Resulting SYSTEM privilege

    self-protection to protect its files ◦ This is the reason they left the folder permission to “Everyone” LOL~ • The registry value gets updated via the “escanmon.exe” process. • “Escanmon.exe” responsible for self-protection, this includes all features in the AV such as Firewall. • Since registry modification requires Admin privilege, we could simply use the “escanmon.exe” UI console to disable the protection. ◦ This helps us to bypass the Admin privilege to modify the registry key :) ◦ We could use different way, but this one is a bit easier ;) • Registry value ◦ HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\MicroWorld\eConceal\eConceal Firewall\Common ▪ ProPause = 0 ← default value (self-protection enable)
  41. DISCLOSURE • We raised an issue to the vendor via

    support channel (chat). ◦ Their support sends us an email address to report the issue. • ZoneAlarm takes security report seriously ◦ It turns out their Head of Technologies approaching us via email • ZoneAlarm updating us on the matter, explaining the issue that we found ◦ They understand we report the issue is a valid issue however it did not meet their bar to fix. ◦ We were told that not much information being disclosed here. • We’re not sure if this still issue exists or not
  42. VULNERABILITY #1 - INFORMATION DISCLOSURE • ZoneAlarm Antivirus + Firewall

    found to store locally the firewall, OS and pra-Alerts log. ◦ fwalerts.zonealarm.com ◦ osalerts.zonealarm.com ◦ pralerts.zonealarm.com • The log contained a URL that belongs to each of the alerts happened on the users PC ◦ We check the URL in browser and find out the log is stored on the server-side and accessible by public. ◦ It does not support SSL (encryption layer) and the web parameter is hardcoded in GET requests.
  43. URL from log: - http://fwalerts.zonealarm.com/fwalerts/fwanalyze.jsp?V103=AXOElQktIGxFN/kAAD36AAABAAA AAQAAAAEAAAABAAAAooYBADAxMDIJBAIABwAAAQAaAgAAAAAAAAACAAAA//8Q+ZLN21315352621518-1043, ,,,Windows+10+x64-10.0.18362--SP,,ExtBlockAll2,kgef252mx9neega7nv958t26 t80,2,,&CL=en&OEM=1043&SKU=8&Mode=0&Product=ZoneAlarm+Anti-virus URL after

    redirect: - http://fwalerts.zonealarm.com/fwanalyze.jsp?record=ZLN21315352621518-1043/40f3ca7016c 0ef3814a06adb&tab=overview • URL redirected • If we look into the after redirect URL, we can see it will remain to show the value of “ZLN<14 digits>”. After playing around with the value, we figure out we can see other people logs too. We randomly generated “ZLN<14-digits>” value along with Base64 value. ◦ http://fwalerts.zonealarm.com/fwalerts/fwanalyze.jsp?V103=<Base64_value_here_with_88_chars >ZLN<14_digits_random_value>-1033 VULNERABILITY #1 - INFORMATION DISCLOSURE
  44. VULNERABILITY #1 - THE POC • We crafted a proof-of-concept

    in dumb-way • The chance of success is low but it’s still there Generate 14 random digits: >>> import random >>> random.randint(00000000000000,99999999999999) 31684752113453L Generate random chars: >>> ''.join(random.choice('0123456789ABCDEF') for i in range(89)) '5AE6FDF7A6FD62981C9DEC99D8F763FE6DA85312641700347AAE0A9FB01FAC88CD19E8C572521D197E0472C13' Finalize URL: - http://fwalerts.zonealarm.com/fwalerts/fwanalyze.jsp?V103=5AE6FDF7A6FD62981C9DEC99D8F763F E6DA85312641700347AAE0A9FB01FAC88CD19E8C572521D197E0472C13+ZLN31684752113453-1033
  45. VULNERABILITY #1 - INFORMATION DISCLOSURE • Information we found disclosed

    ◦ Source IP address ◦ Destination IP address ◦ TCP Flags ◦ Transport Layer Protocol ◦ Protocol Specific Type ◦ Alert Date ◦ Alert Count ◦ Operating System
  46. DISCLOSURE • We raised an issue to the vendor via

    email ◦ Their vulnerability team acknowledge to our report • Trend Micro ask for further information ◦ Very responsive vendor • Within 2-3 weeks, the fix was shipped ◦ According to vendor, they will ship fix by end of October 2019
  47. VULNERABILITY #1 - MULTIPLE VULNERABILITIES • There are two different

    vulnerabilities found in Trend Micro Pay Guard program. ◦ The first issue found is NULL pointer dereference and insecure library loading. • In our testing, the vulnerability needs to be chained in order to achieve NULL pointer dereference. ◦ There’s a way we can achieve code execution via DLL hijacking but we have limited time to do it. • Initial assessment found the Trend Micro Pay Guard was installed as shortcut in Desktop. The shortcut is basically calling another executable from Trend Micro installation folder • Launching the shortcut, we can see it call “uiProtectedBrowser.exe” and immediately uses Internet Explorer as the browser. ◦ Internet Explorer is hooked by the Trend Micro program and used the ToolbarIE.dll in the browser "C:\Program Files\Trend Micro\Titanium\ShorcutLauncher.exe" -OpenPB

    IE itself is trying to load non-existing DLL from Desktop path ◦ We try to confirm on a different machine to see if it is a 0-day in IE itself or the problem with the Trend Micro program LOL~ • We crafted a dummy DLL to see if it gets loaded, rename it as in the screenshot filename and dropped it at Desktop folder. ◦ DLL failed to load leads to NULL pointer dereference.

    failed to load the DLL and resulting to crash the browser. We observe the program will keep looping for crashing if uiProtectedBrowser.exe program is not kill
  50. • Further investigation found the root cause from ToolbarIE.dll. Resulting

    crash from “ToolbarIE!DllUnregisterServer+0x000114a5” where it failed to unregister the loaded DLL that leads to NULL pointer dereference VULNERABILITY #1 - MULTIPLE VULNERABILITIES
  51. REVIEW OF THE FINDINGS Draw some attention to the Antivirus

    security issue Everyone is using Antivirus, either organizations or individual It might looks like nothing, but the impact is large Vulnerability is everywhere
  52. FOR YOU! Keep auditing Reward bounty and credits Perform large

    scale of fuzzing Focus on offensive research VENDORS CONSUMERS We know it is still relevant, but don't put so much hope Shoot your vendor, if it failed to protect you Careful on what you scan, you might end up "pass-the-malware" For business, avoid delaying AV signature